Malware Analysis Report

2024-11-16 13:27

Sample ID 240730-1k85gazhmq
Target 161db86eb5f9237449a1027c1f63f310N.exe
SHA256 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb
Tags: urelas, discovery, trojan, upx
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 9b3643ecbf7402006d8cf776811ae5190d1a70a8bd3ac491c7c20a8d97691efb

Threat Level: Known bad

The file 161db86eb5f9237449a1027c1f63f310N.exe was found to be: Known bad.

Malicious Activity Summary

Tags: urelas, discovery, trojan, upx

Urelas family

Urelas

Executes dropped EXE

Deletes itself

Checks computer location settings

Loads dropped DLL

UPX packed file

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1

Detonation Overview

Reported: 2024-07-30 21:43

Signatures

Urelas family (tag: urelas)

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (2 rows, all N/A)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-30 21:43
Reported: 2024-07-30 21:45
Platform: win7-20240704-en
Max time kernel: 89s
Max time network: 87s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"

Signatures

Urelas (tags: trojan, urelas)

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 rows, all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe

"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
KR | 112.175.88.209:11120 | N/A | tcp
KR | 112.175.88.208:11150 | N/A | tcp
KR | 112.175.88.209:11170 | N/A | tcp
KR | 112.175.88.207:11150 | N/A | tcp

Files

memory/2248-0-0x0000000000400000-0x0000000000431000-memory.dmp

\Users\Admin\AppData\Local\Temp\huter.exe

MD5 c823d0ea71e50abd7b92247b560a6a8f
SHA1 e64be127faed759c8802fed04a6421271512fc42
SHA256 72d9404e525ce99d0b60e0f08a01b074bdf9d2b3cfbea09583be4f8c454fedaa
SHA512 a3a96bab9126a3659e37a382c4dd65aa43f62ff5973c60de6386b8718b35f25cfb9dbf1d649e5efd33c051976ded9a8f63f1d96fd5c9a4d04cec19ae4aeb749a

memory/2880-10-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2248-9-0x0000000002BD0000-0x0000000002C01000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 5334015acd267d9ce6e95138f9ed96b2
SHA1 5f0c2ba5938255d9fe446a438a61f37c361fa48d
SHA256 e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9
SHA512 3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8

memory/2248-19-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/2880-22-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2880-24-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2880-31-0x0000000000400000-0x0000000000431000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-30 21:43
Reported: 2024-07-30 21:45
Platform: win10v2004-20240730-en
Max time kernel: 94s
Max time network: 95s

Command Line

"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"

Signatures

Urelas (tags: trojan, urelas)

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-113082768-653872390-2867000172-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A

UPX packed file (tag: upx)

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (7 rows, all N/A)

Enumerates physical storage devices

System Location Discovery: System Language Discovery (tag: discovery)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\huter.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe

"C:\Users\Admin\AppData\Local\Temp\161db86eb5f9237449a1027c1f63f310N.exe"

C:\Users\Admin\AppData\Local\Temp\huter.exe

"C:\Users\Admin\AppData\Local\Temp\huter.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sanfdr.bat" "

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
KR | 112.175.88.209:11120 | N/A | tcp
KR | 112.175.88.208:11150 | N/A | tcp
KR | 112.175.88.209:11170 | N/A | tcp
US | 8.8.8.8:53 | 240.143.123.92.in-addr.arpa | udp
KR | 112.175.88.207:11150 | N/A | tcp
US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp

Files

memory/3632-0-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\huter.exe

MD5 c0d0014cbb2dab1f19018c9a684932cd
SHA1 070a9bf13ffe41026a2e02b91c27535ffe09085f
SHA256 6ad7cd2f528bc3f711d5b95ce5738b1af8263e7c24c0c630a5007da8f2430519
SHA512 e5375192b24f647dbc195299b274aed2ad3efe49696dc315309b7331ab49f0c3ebb2c809d4848ecb6dee80322e52ef21e4fd20000471531e96a38631d35a7290

memory/772-14-0x0000000000400000-0x0000000000431000-memory.dmp

memory/3632-18-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\sanfdr.bat

MD5 5334015acd267d9ce6e95138f9ed96b2
SHA1 5f0c2ba5938255d9fe446a438a61f37c361fa48d
SHA256 e4d78041ef89777362e4ee0c9a0350529f3e3b497052f718c02258f486f6ecd9
SHA512 3318c6ebb272b190d9745196da2fd29baf79fab2af3518cc7c980667d1197bade7ca0561330d3bd8dafd8bafe4895c1e878d97d8abadf9fefbc2c1267a6b74a8

C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

MD5 a01dba4c45102fc15292fd5591166536
SHA1 d96191c30e0f09439d8547f4ededbf6726ccd54b
SHA256 cc2f9d3db04690b746c18d40c70f8dbc9ca18520b68619d9ccaeac500af98904
SHA512 277a86f44c2648668205cd6c3c9f83feef147a5ad10839a130713eee9c931c26088d4dd95798b1d0e69f3439239abdee79d37656ad3963147a878a9433d60d32

memory/772-21-0x0000000000400000-0x0000000000431000-memory.dmp

memory/772-23-0x0000000000400000-0x0000000000431000-memory.dmp

memory/772-29-0x0000000000400000-0x0000000000431000-memory.dmp